Re: [ipsec-next,v6,12/14] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration
From: Simon Horman
Date: Wed Mar 11 2026 - 15:58:24 EST
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration
This patch adds a new netlink method to migrate a single xfrm_state.
Unlike the existing migration mechanism (SA + policy), this supports
migrating only the SA and allows changing the reqid.
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> index 4b29ab92c2a7..ae2a1cf2311a 100644
> --- a/include/net/xfrm.h
> +++ b/include/net/xfrm.h
> @@ -683,11 +683,17 @@ struct xfrm_migrate {
> xfrm_address_t new_daddr;
> xfrm_address_t new_saddr;
> struct xfrm_encap_tmpl *encap;
> - struct xfrm_user_offload *xuo;
> + struct xfrm_user_offload xuo;
[ ... ]
> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> index 2f23ca5b62a9..de8b038fc08c 100644
> --- a/net/xfrm/xfrm_policy.c
> +++ b/net/xfrm/xfrm_policy.c
> @@ -4642,6 +4642,19 @@ static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate,
> return 0;
> }
>
> +/* Fill migrate fields that are invariant in XFRM_MSG_MIGRATE: inherited
> + * from the existing SA unchanged.
> + */
> +static void xfrm_migrate_copy_old(struct xfrm_migrate *mp,
> + const struct xfrm_state *x)
> +{
> + mp->smark = x->props.smark;
> + mp->new_reqid = x->props.reqid;
> + mp->nat_keepalive_interval = x->nat_keepalive_interval;
> + mp->mapping_maxage = x->mapping_maxage;
> + mp->new_mark = x->mark;
> +}
> +
> int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
> struct xfrm_migrate *m, int num_migrate,
> struct xfrm_kmaddress *k, struct net *net,
> @@ -4680,7 +4693,10 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
> x_cur[nx_cur] = x;
> nx_cur++;
> mp->encap = encap;
> - mp->xuo = xuo;
> + if (xuo)
> + mp->xuo = *xuo;
^^^^
> xfrm_migrate_copy_old(mp, x);
>
What happens to mp->xuo when xuo is NULL?
The xfrm_migrate structure changed its xuo field from a pointer
(struct xfrm_user_offload *xuo) to an embedded value
(struct xfrm_user_offload xuo).
In xfrm_migrate(), when the xuo parameter is NULL (PF_KEY path via
pfkey_migrate, or XFRM_MSG_MIGRATE without XFRMA_OFFLOAD_DEV), the
'if (xuo) mp->xuo = *xuo' branch is skipped, leaving mp->xuo with
uninitialized stack data.
Both callers declare 'struct xfrm_migrate m[XFRM_MAX_DEPTH]' on the
stack without zeroing:
net/key/af_key.c:pfkey_migrate() {
struct xfrm_migrate m[XFRM_MAX_DEPTH];
...
err = xfrm_migrate(&sel, dir, XFRM_POLICY_TYPE_MAIN, m, i,
k.local && k.remote ? &k : NULL, net,
NULL, 0, NULL);
}
net/xfrm/xfrm_user.c:xfrm_do_migrate() {
struct xfrm_migrate m[XFRM_MAX_DEPTH];
...
err = xfrm_migrate(&sel, dir, type, m, n, k, net, encap, xuo, extack);
}
The uninitialized mp->xuo.ifindex is later read in
xfrm_state_migrate_create() and xfrm_state_migrate_install():
net/xfrm/xfrm_state.c:xfrm_state_migrate_create() {
...
/* configure the hardware if offload is requested */
if (m->xuo.ifindex && xfrm_dev_state_add(net, xc, &m->xuo, extack))
goto error;
}
net/xfrm/xfrm_state.c:xfrm_state_migrate_install() {
...
if (xfrm_state_add(xc) < 0) {
NL_SET_ERR_MSG(extack, "Failed to add migrated state");
if (m->xuo.ifindex)
xfrm_dev_state_delete(xc);
...
}
}
If the stack garbage contains a non-zero ifindex value,
xfrm_dev_state_add() will be called with random ifindex and flags,
potentially causing spurious hardware offload attempts or migration
failures.
Previously, 'mp->xuo = xuo' unconditionally set the pointer to NULL in
these paths, which was then properly checked as 'if (m->xuo)'.
Should mp->xuo be zero-initialized when xuo is NULL, either by adding
'else memset(&mp->xuo, 0, sizeof(mp->xuo))' after the if-block, or by
zero-initializing the m[] arrays in the callers?